With the merge of Gerrit change 264309,[1] to be deployed with 1.27.0-wmf.12, note the following changes to the PHP interface around login and account creation tokens:

- LoginForm::setLoginToken() and LoginForm::setCreateaccountToken() are deprecated and no longer do anything. The token is automatically created when fetched. - LoginForm::getLoginToken() and LoginForm::getCreateaccountToken() now return a MediaWiki\Session\Token object rather than a string. This object implements __toString(), so automatic casting to a string is supported and will likely mask this change for many uses. - The token strings themselves are now similar to edit tokens: they're longer, end in "+", and include an embedded timestamp for expiration. - Due to the embedded timestamp, tokens must now be compared using the ->match() method on the Token object. String equality comparison will no longer work. - It is no longer possible to determine if the token was not already generated for the session by looking for an empty response from LoginForm::getLoginToken() and LoginForm::getCreateaccountToken(). If this is necssary (it shouldn't be), use the ->wasNew() method on the Token object.

If your PHP code makes use of login or account creation tokens for some reason, please check to see if your code needs updating for these changes.

For the record, a new method User::getEditTokenObject() has been added to fetch edit tokens as MediaWiki\Session\Token objects as well, but User::getEditToken() and User::matchEditToken() have not been changed or deprecated at this time.

Note that API clients and other non-PHP users of these tokens are unlikely to be broken by this change. See https://lists.wikimedia.org/pipermail/mediawiki-api-announce/2016-January/00... for details on changes to the API related to this change.

[1]: https://gerrit.wikimedia.org/r/#/c/264309/